authentication.php

Levels and Roles

This is where you create the auth levels with associated role names that will be used by your application. Unless you have a basic e-commerce type website, your specific application will probably have different roles.

If you are going to change the levels and roles, admin always needs to be called admin, but you can create as many different auth levels and roles as you want. For some functions of the authentication library, privileges are linear in nature, so keep that in mind as you create your levels and roles. Also, if you want to create auth levels that are numbered higher than 99, make sure to adjust the auth_level field in the users table to accommodate the larger number.

Groups

$config['groups'] = array(
'employees' => 'manager,admin'
);

If you’ve got a bunch of user roles, you may group them. This may mean less typing for you as you develop your application, because you can refer to multiple user roles as a group.
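As an added example (not Community Auth's own code), here is how a levels/roles map together with a roles group resolves to both an exact role check and the linear (minimum level) check the notes above warn about. The key name 'levels_and_roles' and the sample levels are assumptions; use whatever your own authentication.php defines.

```php
<?php
// Added example (not Community Auth's own code) of how a levels/roles map and a
// roles group resolve to a privilege check. The key name 'levels_and_roles' is
// assumed here; use whatever your own authentication.php defines.
$config['levels_and_roles'] = array(
    '1' => 'customer',
    '6' => 'manager',
    '9' => 'admin', // the admin role must keep the name "admin"
);
$config['groups'] = array(
    'employees' => 'manager,admin',
);

// Expand a comma-separated list of role and group names into auth levels.
// Group names are looked up first, so a group may itself name other groups.
function roles_to_levels(array $config, $roles)
{
    $levels = array();
    foreach (explode(',', $roles) as $name) {
        $name = trim($name);
        if (isset($config['groups'][$name])) {
            $levels = array_merge($levels, roles_to_levels($config, $config['groups'][$name]));
            continue;
        }
        $level = array_search($name, $config['levels_and_roles'], true);
        if ($level !== false) {
            $levels[] = (int) $level;
        }
    }
    return array_values(array_unique($levels));
}

// Exact check: the user's level must be one of the listed roles or groups.
function role_permits(array $config, $user_level, $roles)
{
    return in_array((int) $user_level, roles_to_levels($config, $roles), true);
}

// Linear check: any level at or above the lowest listed level passes, which
// is why a role numbered between manager and admin inherits "employees" access.
function min_level_permits(array $config, $user_level, $roles)
{
    $levels = roles_to_levels($config, $roles);
    return $levels && (int) $user_level >= min($levels);
}
foreach (array(1, 6, 7, 9) as $level) {
    printf("level %d: exact=%d linear=%d\n", $level,
        role_permits($config, $level, 'employees'), min_level_permits($config, $level, 'employees'));
}
```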

Add ACL Query to Authentication Functions

$config['add_acl_query_to_auth_functions'] = FALSE;

This configuration option turns on an additional query to retrieve a logged in user’s ACL records when they log in or when login status is checked. If you’re not going to implement your own ACL categories and actions, and take the time to create an interface to manage the ACL, then you would leave this set to FALSE. Furthermore, basic ACL usage doesn’t require that this option be set to TRUE, because the acl_permits method will query the database itself if the ACL records haven’t already been loaded.

Maximum Allowed Login Attempts

$config['max_allowed_attempts'] = 5;

This setting controls how many attempts a person, recognized by IP address and the username or email they are trying to log in with, should be able to have before being locked out for a period of time.

Deny Access At

$config['deny_access_at'] = 10;

If for some reason login attempts exceed the Maximum Allowed Login Attempts value, then when they reach the number held in this setting, the IP address associated with the login is added to the deny list in the local Apache configuration file. Set to 0 (zero) to disable.

Apache Config File Location

$config['apache_config_file_location'] = FCPATH . '.htaccess';

The location, including filename, of your Apache config file should be set here. Please see the provided .htaccess file for two lines of code that MUST be in your Apache config file if you want Community Auth to manage the deny list for you:

# BEGIN DENY LIST --
# END DENY LIST --

Seconds on Hold

$config['seconds_on_hold'] = 600;

This setting controls how long a person is locked out when they exceed the maximum allowed login attempts. The default setting is 600 seconds, or 10 minutes. When locked out, password recovery is also disabled.

This setting has nothing to do with IP addresses that are added to the deny list by the Deny Access functionality. Those IP addresses are permanently blocked until an admin removes the block.
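The following is an added example (not Community Auth's own code) that models how the four settings above fit together: failed attempts counted per IP and username, a temporary hold after max_allowed_attempts that lasts seconds_on_hold, and a permanent entry written between the two marker lines of the Apache config file once deny_access_at is reached. The in-memory attempts array, the temporary .htaccess file and the "Deny from" line syntax are assumptions made for the example.

```php
<?php
// Added example (not Community Auth's own code): failed attempts are counted per
// IP + username; a hold starts at max_allowed_attempts, and at deny_access_at the
// IP is written between the marker lines of the Apache config file. "Deny from" syntax is assumed.
$config['max_allowed_attempts'] = 5;
$config['deny_access_at'] = 10;
$config['seconds_on_hold'] = 600;
$config['apache_config_file_location'] = sys_get_temp_dir() . '/example.htaccess';
// Constructed stand-ins for the shipped .htaccess and for the login attempts
// table (key => count and time of the last failed attempt).
file_put_contents($config['apache_config_file_location'], "# BEGIN DENY LIST --\n# END DENY LIST --\n");
$attempts = array();
function record_failed_attempt(array $config, array &$attempts, $ip, $username, $now)
{
    $key = $ip . '|' . strtolower($username);
    $count = isset($attempts[$key]) ? $attempts[$key]['count'] + 1 : 1;
    $attempts[$key] = array('count' => $count, 'time' => $now);
    if ($config['deny_access_at'] > 0 && $count >= $config['deny_access_at']) {
        add_to_deny_list($config['apache_config_file_location'], $ip);
    }
}
// On hold (login and password recovery refused) once the count reaches the limit,
// until seconds_on_hold have passed since the last failed attempt.
function is_on_hold(array $config, array $attempts, $ip, $username, $now)
{
    $key = $ip . '|' . strtolower($username);
    return isset($attempts[$key])
        && $attempts[$key]['count'] >= $config['max_allowed_attempts']
        && ($now - $attempts[$key]['time']) < $config['seconds_on_hold'];
}
// Rewrite only the block between the markers; an IP already listed is skipped.
function add_to_deny_list($file, $ip)
{
    $contents = file_get_contents($file);
    if (!preg_match('/(# BEGIN DENY LIST --\n)(.*?)(# END DENY LIST --)/s', $contents, $m)) {
        return false; // markers missing: the list cannot be managed
    }
    $lines = array_filter(explode("\n", trim($m[2])));
    if (!in_array('Deny from ' . $ip, $lines, true)) {
        $lines[] = 'Deny from ' . $ip;
    }
    return (bool) file_put_contents($file,
        str_replace($m[0], $m[1] . implode("\n", $lines) . "\n" . $m[3], $contents));
}
// Ten failures for one IP/username: held after the fifth, denied in Apache at the tenth.
for ($i = 0; $i < 10; $i++) {
    record_failed_attempt($config, $attempts, '203.0.113.5', 'alice', time());
}
echo is_on_hold($config, $attempts, '203.0.113.5', 'alice', time()) ? "on hold\n" : "ok\n";
echo file_get_contents($config['apache_config_file_location']);
```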

Disallow Multiple Logins

$config['disallow_multiple_logins'] = FALSE;

This setting, FALSE by default, may disallow a user from being logged in on multiple devices, or restrict authenticated sessions to a single entry in the auth_sessions table. When a person logs in, if this setting is set to TRUE, any existing authenticated session will be dropped.

As of December 25, 2015, Community Auth changed the way this setting affects overall security. It is no longer a benefit to disallow multiple logins. The change was that instead of having a single session ID stored in the user table, a new table was added to track valid sessions used for authentication. Leaving this setting set to FALSE is suggested, as it is more convenient for your website users to use multiple devices to access your website.

Encrypt Auth Identifier

$config['encrypt_auth_identifier'] = FALSE;

This setting turns on or off the encryption of the authentication identifier. While it may be very difficult for somebody to view the contents of this identifier, doing so may enable them to know the user’s ID, the user’s last modification date, and the user’s login time. For especially sensitive applications, you should set this to TRUE.

Encrypt All Cookies

$config['encrypt_all_cookies'] = TRUE;

This setting turns on or off the encryption of all cookies set by CodeIgniter, and therefore Community Auth. Because the tokens cookie must always be encrypted, this setting has no effect on it, but will automatically encrypt cookies set with Input::set_cookie(), and decrypt cookies retrieved with Input::cookie(). If your application is setting and retrieving cookies with plain PHP, they will not be encrypted or decrypted.

Allow Remember Me

$config['allow_remember_me'] = FALSE;

This setting allows you to turn on and off the ability to have a persistent login where users may choose to stay logged in even after the browser has closed. When turned on, the login form shows a “Remember Me” checkbox. Remember Me is off by default.

Remember Me Cookie Name

$config['remember_me_cookie_name'] = 'rememberMe';

This setting allows you to choose the name of the Remember Me cookie. Some versions of Internet Explorer don’t like underscores, so don’t use them if you change the provided name.

Remember Me Expiration

$config['remember_me_expiration'] = 93062220;

How long (in seconds) the Remember Me functionality allows the session to last. Based on the needs of your website, you might choose a duration that is shorter or longer than the provided setting, which is just under 3 years. You might not need Community Auth’s Remember Me functionality if you configure CodeIgniter’s session to be persistent by default, but Remember Me allows you to have both a session that ends when the browser closes, and a session that ends at the time specified in this setting.

HTTP User Cookie Name

$config['http_user_cookie_name'] = 'httpUser';

While the authentication cookie is handled in the session, the http user cookie allows for some user data to be stored so that the user is semi-identifiable, or for other general purpose use related to the logged in user. DO NOT USE FOR AUTHENTICATION!

HTTP User Cookie Elements

$config['http_user_cookie_elements'] = array('username');

This setting allows you to customize the data that is stored in the HTTP user cookie. By default, only the username is stored, but any element returned in the auth data (when a user logs in) can be added to the array.

DO NOT ADD ELEMENTS THAT ARE CONSIDERED SENSITIVE, ESPECIALLY IF YOU ARE NOT ENCRYPTING ALL COOKIE CONTENTS!

Tokens Cookie Config

Token cookies are a lot like CodeIgniter’s CSRF protection, and can be used in conjunction with it. You shouldn’t really have a reason to change anything here, but all you need to know is that the token “jar” is an array of acceptable tokens, and you can control how many are stored, and the names of the cookies.

Recovery Code Expiration

$config['recovery_code_expiration'] = 60 * 60 * 2;

An account recovery code shouldn’t last forever, and this setting allows you to change how long the code is good for. By default the recovery code is good for two hours.

Delete Session Cookie On Logout

$config['delete_session_cookie_on_logout'] = FALSE;

If set to TRUE, a user that logs out will have their session completely destroyed.

Show Login Form on Logout

$config['show_login_form_on_logout'] = TRUE;

When a person logs out they will see a confirmation, and this setting will make the login form appear on that logout confirmation screen (or not).

Default Login Redirect

$config['default_login_redirect'] = '';

When a person logs in, they will usually be redirected back to the page they were trying to access, but in some cases a redirect may not have been specified. This setting is a URI STRING to redirect to when no redirect has been specified, and because it is blank by default, it redirects the user back to the home page.

Allowed Pages for Login

$config['allowed_pages_for_login'] = array();

Besides the login page specified in auth_constants.php, you can allow other pages to have login forms on them, but you need to add them to this array.

Redirect to HTTPS

$config['redirect_to_https'] = FALSE;

A strong security policy does not allow HTTP requests to be redirected to HTTPS. If set to TRUE, an HTTP request for a page where SSL is forced will redirect to the HTTPS version. If set to FALSE, a 404 error is generated instead.

Login Form Validation File

This setting is a path to a config file to load for form validation rules used during a login attempt. You will most likely change this setting if you create a new set of validation rules and save it somewhere else.

Declared Auth Model

$config['declared_auth_model'] = 'auth_model';

Community Auth makes it easy to extend its Auth model by allowing you to declare your own model. When creating your own model, make sure it extends Auth_model, unless you intend to replace the entire Auth model with your own.

Handle Auth Sessions GC on Logout

$config['auth_sessions_gc_on_logout'] = TRUE;

By default, garbage collection for the auth_sessions table is handled when any user logs out. This is fine for most sites, provided that you can count on a decent percentage of your users logging out. A better way to handle this garbage collection may be to create a cron job for the garbage collection routine.

Community Auth comes with a Crons controller, and if you copy it to your application/controllers directory, you can run the auth_sessions_gc method at whatever interval suits your needs. If you use a cron job to handle garbage collection for the auth sessions table, you can set this setting to FALSE.